[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

Phillip Hallam-Baker hallam at gmail.com
Sat Nov 5 08:35:52 PDT 2011


This was my understanding and I raised it with EFF many months ago.

EFF is making a positive claim here. They are asserting that all 200 of
those LRAs are functional CA equivalents that can issue a cert for (say)
twitter.com.

The most that can be supported by the evidence they have is that we do not
know if those LRAs have that capability or not. Note that that is a
completely valid criticism and one that we are already moving to address.

But that is not the claim being advanced by the EFF 'THE SYSTEM IS BROKEN,
BROKEN I TELL YOU, SIX HUNDRED AND FIFTY POINTS OF VULNERABILITY'.

The claim made is just not true.


This industry and this system is a lot more complex than some of you give
us credit for. There is a problem in that for the past fifteen years it has
been operated on the basis of controlling commercial risk. It has not faced
attack by nation state level adversaries until this year.

If you want to be constructive then you have to be accurate in your
criticisms.

It does not help to run round accusing us of being uninterested in
security, only motivated by profit, a fraud etc. etc.


On Fri, Nov 4, 2011 at 10:34 PM, Matthias Hunstock <matthias.hunstock at tu-ilmenau.de> wrote:

> On 05.11.2011 01:42, Peter Eckersley wrote:
>
> > In the case of the DFN subordinate that we observed beneath Deutsche
> > Telekom's root, my best estimate is that the private keys for its sub-CAs
> > are physically controlled by DFN (ie, only one place you could steal those
> > private keys from), but what they sign is determined remotely on computers
> > at the 200 institutions named in these CAs
>
> It is not "determined" remotely what is being signed. A computer at one
> of the institutions can only "request" something to be signed, but of
> course there are controls in place. Among other things the certificate
> requests are filtered against a per-institution domain whitelist, where
> new entries are manually approved by DFN.
>
> So there is hardly any difference to a simple, paying customer of any
> commercial CA from a security point of view.
>



-- 
Website: http://hallambaker.com/
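To make concrete the kind of control Matthias describes above (a request from an institution is checked against that institution's approved-domain list before the sub-CA key signs anything, and new domains go through a manual approval step), here is an added example of such a request filter. It is illustrative code written for this thread, not DFN's or any CA's actual software; the institution ids, domain lists and requested names are constructed, and the rule that a wildcard is accepted only when its base is under an approved domain is an assumption.

```python
"""Per-institution domain whitelist filter in front of a sub-CA.

Added example, not DFN's or any CA's actual code. Institution ids, domains
and requested names are constructed; the wildcard rule is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample whitelist: institution id -> domains it may request under.
APPROVED_DOMAINS: Dict[str, Set[str]] = {
    "tu-ilmenau": {"tu-ilmenau.de"},
    "uni-beispiel": {"uni-beispiel.de", "beispiel-klinik.de"},
}


def normalize(name: str) -> str:
    """Canonical form: lower-case, no surrounding space, no trailing dot."""
    return name.strip().lower().rstrip(".")


def under_domain(name: str, domain: str) -> bool:
    """True if name is domain itself or a subdomain of it, matched on a label
    boundary so that 'evil-tu-ilmenau.de' and 'tu-ilmenau.de.evil.example' fail."""
    name, domain = normalize(name), normalize(domain)
    return name == domain or name.endswith("." + domain)


@dataclass
class Decision:
    approved: List[str] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)               # malformed, never signed
    needs_manual_approval: List[str] = field(default_factory=list)  # not whitelisted (yet)

    @property
    def signable(self) -> bool:
        """The signer runs only when every requested name passed the filter."""
        return bool(self.approved) and not self.rejected and not self.needs_manual_approval


def filter_request(institution: str, requested_names: List[str],
                   approved: Dict[str, Set[str]] = APPROVED_DOMAINS) -> Decision:
    """Classify each requested subjectAltName for the given institution."""
    decision = Decision()
    allowed = approved.get(institution, set())
    for raw in requested_names:
        name = normalize(raw)
        is_wildcard = name.startswith("*.")
        base = name[2:] if is_wildcard else name
        # Syntactic sanity: non-empty, no empty labels, wildcard only as the leftmost label.
        if not base or base.startswith(".") or ".." in base or "*" in base:
            decision.rejected.append(raw)
        elif any(under_domain(base, d) for d in allowed):
            decision.approved.append(raw)
        else:
            # e.g. twitter.com, or a domain this institution has not had approved:
            # it goes to the CA operator's manual queue, not to the signing key.
            decision.needs_manual_approval.append(raw)
    return decision


def approve_domain(institution: str, domain: str,
                   approved: Dict[str, Set[str]]) -> None:
    """The manual step: a CA operator adds a new entry to an institution's list."""
    approved.setdefault(institution, set()).add(normalize(domain))


if __name__ == "__main__":
    whitelist = {k: set(v) for k, v in APPROVED_DOMAINS.items()}
    print(filter_request("tu-ilmenau", ["www.tu-ilmenau.de", "*.tu-ilmenau.de"], whitelist))
    print(filter_request("tu-ilmenau", ["twitter.com"], whitelist))
    approve_domain("tu-ilmenau", "ilmenau-campus.de", whitelist)
    print(filter_request("tu-ilmenau", ["mail.ilmenau-campus.de"], whitelist).signable)
```

The point of the suffix check in under_domain is the label boundary: a plain endswith("tu-ilmenau.de") would let "evil-tu-ilmenau.de" through. Note also that a filter like this is a process control enforced by the CA's own software at the place where the key is held; it is a different mechanism from an X.509 nameConstraints extension on the sub-CA certificate, which relying parties would enforce on their side.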